1. Technical Field
The present invention generally relates to an apparatus and method for performing a real-time network antivirus function and, more particularly, to an apparatus and method that can perform, at high speed, real-time antivirus scanning on a transmission file in a network to be protected and blocking of malicious file transmission traffic over the network.
2. Description of the Related Art
Generally, antivirus software denotes a computer program equipped with a function of finding and removing a malicious file. Such antivirus software performs the task of determining whether the signature of an inspection target file is present in signatures recorded in a virus database (DB).
Existing methods of performing antivirus scanning over a network include an antivirus performance method using a proxy server. A proxy server is a computer machine for relaying a connection request and communication between a client and a server. There is an advantage in that the details requested by the proxy server may be stored in a cache, and in that the transmission time may be reduced because a client does not directly access a remote server. In this case, a file stored in the cache of the proxy server may be scanned using an antivirus program. Further, the proxy server delays a response to the request of the client until antivirus scanning is completed, blocks the client's access if it is determined that the file is a malicious file, and registers the corresponding file in a blacklist cache. Accordingly, other clients may be prevented from being infected with the malicious file.
However, the use of a proxy server is accompanied by issues related to security and performance. Further, the use of a proxy server results in a problem with personal information protection (privacy) because data requested or submitted by a user is stored in a cache for a predetermined period of time. Also, when a proxy server is infected with malicious code (malware) or the like, there is the concern that the stored data will be leaked to the outside of the proxy server. Furthermore, since the client is not directly connected to the remote server, and a dual connection structure, including the client-proxy connection and the proxy-remote server connection, is implemented, the problem of network transmission delay may arise.
In order to solve this problem, a method of performing an antivirus function in real time in a network using a network packet monitoring system such as an Intrusion Detection and Prevention System (IDPS) may be attempted. IDPS equipment functions to perform Deep Packet Inspection (DPI) on network packets, and to generate a log for a packet corresponding to a detection rule or block the corresponding packet.
In order to perform an antivirus function over the network using such IDPS equipment, a file must be reconstructed by parsing transmission data streams, and must be stored in memory or on disk. Thereafter, a signature may be generated for the stored file, and then an antivirus function may be performed.
However, a performance load occurs upon storing a reconstructed file, and the load of the signature generation task is variable depending on the size of the original file. Therefore, it is difficult to complete antivirus scanning on a file and additionally perform packet blocking in real time before a transmission data stream is completed.
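The store-then-scan flow described in the two paragraphs above, as an added illustration that is not part of the patent text. It assumes the signature is a SHA-256 digest of the whole file and that the file length is known in advance (for example from a length header); the function names and the sample segments are constructed for this example.

```python
import hashlib

def reassemble(segments):
    """Rebuild a file from (offset, payload) segments, tolerating reordering and retransmits."""
    buf = bytearray()
    for offset, payload in sorted(segments):
        if offset > len(buf):
            raise ValueError(f"gap in stream at byte {len(buf)}")
        buf.extend(payload[len(buf) - offset:])  # keep only bytes not already stored
    return bytes(buf)

def file_signature(data):
    # Assumption: the "signature" is a SHA-256 digest over the complete file.
    return hashlib.sha256(data).hexdigest()

def store_then_scan(segments, total_len, virus_db):
    """Buffer every segment; a verdict is only possible once the whole file is stored."""
    stored = []
    for seen, seg in enumerate(segments, start=1):
        stored.append(seg)
        try:
            data = reassemble(stored)
        except ValueError:
            continue  # a hole remains, nothing to hash yet
        if len(data) < total_len:
            continue  # file still incomplete
        verdict = "malicious" if file_signature(data) in virus_db else "clean"
        return {"verdict": verdict, "segments_before_verdict": seen,
                "bytes_buffered": len(data)}
    return {"verdict": "incomplete", "segments_before_verdict": len(segments),
            "bytes_buffered": None}

# Constructed sample input: a 232-byte "file" sent as reordered, overlapping segments.
SAMPLE = b"constructed sample file body " * 8
SEGMENTS = [(0, SAMPLE[:60]), (120, SAMPLE[120:]), (0, SAMPLE[:60]), (40, SAMPLE[40:120])]
VIRUS_DB = {file_signature(SAMPLE)}  # constructed database holding one signature

if __name__ == "__main__":
    print(store_then_scan(SEGMENTS, len(SAMPLE), VIRUS_DB))
```

The verdict arrives only with the segment that completes the file, after every byte has been buffered, which is the timing problem the paragraph above describes.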
As related preceding technology, U.S. Patent Application Publication No. 2013-0097666 discloses technology for improving the transmission efficiency of a proxy gateway using a pre-classifier in a proxy gateway antivirus system, which corresponds to a method of performing an antivirus function over a network.
As another preceding technology, a paper entitled “Designing an Integrated Architecture for Network Content Security Gateways” (by Ying-Dar Lin and three others) was published in IEEE Computer, Volume 39, Issue 11, pages 66-72, in November 2006. This paper discloses technology for configuring a proxy so that a gateway can inspect mail content and for preventing malicious mail or a malicious file from being transferred to a recipient by adding an anti-spam function and an antivirus function.